Tools

Credential Scanner (CredScan)—tool developed and maintained by Microsoft to identify credential leaks such as those in source code and configuration files.

Microsoft Threat Modeling Tool—tool to create and analyze threat models. It lets you communicate the security design of your systems, analyze those designs for potential security issues using a proven methodology, and suggest and manage mitigations for the issues found.

BinSkim—verification tool that analyzes binaries to ensure that they have been built in compliance with the SDL requirements and recommendations.

Roslyn Analyzers—analyzers that inspect C# and Visual Basic code at build time (as static code analysis, when enabled) and also live in the editor as you type. With full solution analysis enabled, Roslyn analyzers also report design-time findings for code files that aren't open in the editor.

Code Analysis for C/C++—static analyzer provided with the installation of Visual Studio Team System Development Edition or Azure DevOps that helps to detect and correct code defects.

Microsoft DevSkim—framework of IDE extensions and language analyzers that provide inline security analysis in the dev environment as the developer writes code.
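BinSkim and DevSkim both write their findings as SARIF 2.1.0 logs, so a build can be gated on their results without tool-specific parsing. The following is an added example, not code from this page or from either tool: it flattens every result in a SARIF log, counts findings by level, and fails when anything at or above a chosen severity remains, with an allow-list for rule IDs that have been accepted by risk review. The embedded log is a constructed sample shaped like BinSkim output; its rule IDs, messages and file paths are illustrative, not real scan results.

```python
import json
from collections import Counter

# Constructed sample: a cut-down SARIF 2.1.0 log shaped like what BinSkim writes.
# The rule IDs, messages and binary paths are illustrative, not real scan output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "BinSkim"}},
        "results": [
            {"ruleId": "BA2008", "level": "error",
             "message": {"text": "'app.exe' does not enable the control flow guard (CFG) mitigation."},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/app.exe"}}}]},
            {"ruleId": "BA2016", "level": "warning",
             "message": {"text": "'helper.dll' is not marked NX compatible."},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/helper.dll"}}}]},
            {"ruleId": "BA2006", "level": "note",
             "message": {"text": "'app.exe' was compiled with a supported toolset."},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bin/app.exe"}}}]},
        ],
    }],
})

# SARIF result levels, ordered so a threshold can be compared numerically.
SEVERITY_ORDER = {"note": 0, "warning": 1, "error": 2}


def load_findings(sarif_text):
    """Flatten every result in every run into (tool, ruleId, level, uri, message)."""
    log = json.loads(sarif_text)
    findings = []
    for run in log.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for r in run.get("results", []):
            level = r.get("level", "warning")  # SARIF's default when level is omitted
            locs = r.get("locations") or [{}]
            uri = (locs[0].get("physicalLocation", {})
                          .get("artifactLocation", {})
                          .get("uri", "<no location>"))
            findings.append((tool, r.get("ruleId", "?"), level, uri,
                             r.get("message", {}).get("text", "")))
    return findings


def gate(sarif_text, fail_on="warning", suppress=()):
    """Return (passed, counts_by_level, blocking_findings).

    fail_on is the lowest level that blocks the build; suppress lists rule IDs
    that have been reviewed and accepted and therefore never block.
    """
    threshold = SEVERITY_ORDER[fail_on]
    findings = load_findings(sarif_text)
    counts = Counter(level for _, _, level, _, _ in findings)
    blocking = [f for f in findings
                if SEVERITY_ORDER.get(f[2], 1) >= threshold and f[1] not in suppress]
    return (len(blocking) == 0, counts, blocking)


if __name__ == "__main__":
    passed, counts, blocking = gate(SAMPLE_SARIF, fail_on="warning")
    print("counts by level:", dict(counts))
    for tool, rule, level, uri, msg in blocking:
        print(f"[{level}] {tool} {rule} {uri}: {msg}")
    raise SystemExit(0 if passed else 1)
```

In a pipeline the same function would be pointed at the SARIF file the analyzer wrote; suppressions should be kept in source control next to the build definition so that every accepted rule ID has a reviewable history.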

Legacy archive

SDL Quick Security References (QSRs)—a basic reference series designed to address common vulnerabilities from the perspective of multiple business roles: business decision maker, architect, developer, and tester/QA.

SDL Banned Function Calls—compiled list of C runtime functions known to be dangerous (unbounded string copy, concatenation and formatting routines among them) that should be removed from code and replaced with bounded alternatives as part of your SDL practices.
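A banned-function check is easy to automate as a source scan when the compiler-side deprecation header is not available for a toolchain. The following is an added example and not the SDL banned list itself or any Microsoft tool: it scans C source for call sites of a hand-picked subset of the banned functions, blanking out comments and string literals first so that mentions in those positions are not reported, and keeps line numbers intact for reporting. The C fragment is constructed for the example, and the replacement suggestions are the usual bounded counterparts, not text from the page.

```python
import re

# Subset of the functions listed in the SDL banned.h header (the full list is longer),
# mapped to the bounded replacement a reviewer would normally suggest.
BANNED_FUNCTIONS = {
    "strcpy": "strcpy_s / strlcpy with an explicit destination size",
    "strcat": "strcat_s / strlcat",
    "strncpy": "strncpy_s (strncpy may leave the result unterminated)",
    "sprintf": "snprintf / sprintf_s",
    "vsprintf": "vsnprintf / vsprintf_s",
    "gets": "fgets / gets_s",
    "scanf": "scanf_s or a bounded parser",
    "wcscpy": "wcscpy_s",
}

# Constructed C fragment, not from any real project. Only lines 8 and 9 are real banned calls.
SAMPLE_C = r'''
#include <string.h>
#include <stdio.h>

/* strcpy(dst, src) in a block comment must not count */
void greet(char *dst, size_t dstlen, const char *name) {
    char tmp[64];
    strcpy(tmp, name);              // banned: no bound on name
    sprintf(dst, "hello %s", tmp);  // banned: no bound on dst
    // gets(tmp);                   line comment, not a call
    strcpy_s(dst, dstlen, tmp);     /* bounded replacement, allowed */
    my_strcpy(dst, tmp);            /* different identifier */
    puts("strcpy(") ;               /* inside a string literal */
}
'''

# Comments and string/char literals, matched leftmost so a "//" inside a string
# is consumed as part of the string rather than starting a comment.
_COMMENT_OR_STRING = re.compile(
    r'//[^\n]*'                 # line comment
    r'|/\*.*?\*/'               # block comment (may span lines)
    r'|"(?:\\.|[^"\\\n])*"'     # string literal
    r"|'(?:\\.|[^'\\\n])*'",    # char literal
    re.DOTALL)


def _blank_out(m):
    # Replace every non-newline character with a space so line numbers are preserved.
    return re.sub(r'[^\n]', ' ', m.group(0))


def find_banned_calls(source, banned=BANNED_FUNCTIONS):
    """Return [(line_no, function, suggested_replacement)] for each banned call site."""
    cleaned = _COMMENT_OR_STRING.sub(_blank_out, source)
    # Longest names first so "strncpy" is never partially matched as "strcpy".
    names = "|".join(sorted(map(re.escape, banned), key=len, reverse=True))
    # Require a call: identifier followed by "(", not preceded by an identifier
    # character or a member access, so my_strcpy( and p->strcpy( are not flagged.
    call = re.compile(r'(?<![\w.>])\b(' + names + r')\s*\(')
    hits = []
    for m in call.finditer(cleaned):
        line_no = cleaned.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group(1), banned[m.group(1)]))
    return hits


if __name__ == "__main__":
    for line_no, func, fix in find_banned_calls(SAMPLE_C):
        print(f"line {line_no}: banned call {func}() -> use {fix}")
```

The scan is deliberately lexical: it cannot tell whether a particular strcpy is provably bounded by surrounding checks, so treat each hit as a review item rather than an automatic defect, and prefer the compiler-enforced deprecation from banned.h where the toolchain supports it.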

FxCop—static analyzer that analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements. Its rules have since been superseded by the source-based Roslyn analyzers listed above.

Microsoft Application Verifier—runtime verification tool (works with clients up to Windows 7) for native code that assists in finding subtle programming errors that can be difficult to identify with normal application testing.